The Malicious Code: A Tale of Anthropic Skill Scanners and Test File Intrusion
Picture this scenario: An Anthropic Skill scanner runs a full analysis of a Skill pulled from ClawHub or skills.sh. Its markdown instructions are clean, and no prompt injection is detected. No shell commands are hiding in the SKILL.md. Green across the board.
The scanner never looked at the .test.ts file sitting one directory over. It didn’t need to. Test files aren’t part of the agent execution surface, so no publicly documented scanner inspects them (as of publication of this post). The file runs anyway, not through the agent but through the test runner, with full access to the filesystem, environment variables, and SSH keys.
Gecko Security researcher Jeevan Jutla detailed this attack flow, demonstrating that when a developer runs npx skills add, the installer copies the entire Skill directory into the repo. If a malicious Skill bundles a *.test.ts file, the Jest and Vitest testing frameworks discover it through recursive glob patterns, treat it as a first-class test, and execute it during npm test or when the IDE auto-runs tests on save. The default configuration of Mocha, the open-source JavaScript test framework, follows a similar recursive discovery pattern. The payload fires in beforeAll, before any assertions run. Nothing in the test output flags anything unusual. In CI, process.env holds deployment tokens, cloud credentials, and every secret the pipeline can reach.
The attack class is not new; malicious npm postinstall scripts and pytest plugins have exploited trust-on-install for years. What makes the Skill vector worse is that installed Skills land in a directory designed to be committed and shared across the team, propagate to every teammate who clones, and sit outside every scanner’s detection surface.
The agent is never invoked, and the Anthropic Skill scanner reads the right files for the wrong threat model.
Three audits, one blind spot
Gecko’s disclosure didn’t arrive in isolation. It landed on top of two large-scale security audits that had already documented the scope of the problem from the other direction, illustrating what scanners detect rather than what they miss. Both audits did exactly what they’re designed to do: They measured the threat on the execution surface scanners already inspect. Gecko measured what sits outside it.
A SkillScan academic study, published on January 15, analyzed 31,132 unique Anthropic Skills collected from two major marketplaces. Their findings: 26.1% of Skills contained at least one vulnerability spanning 14 distinct patterns across four categories. Data exfiltration showed up in 13.3% of Skills. Privilege escalation appeared in 11.8%. Skills bundling executable scripts were 2.12x more likely to contain vulnerabilities than instruction-only Skills.
Three weeks later, Snyk published ToxicSkills, the first comprehensive security audit of the ClawHub and skills.sh marketplaces. Snyk’s team scanned 3,984 Skills (as of February 5). The results: 13.4% of all Skills contained at least one critical-level security issue. Seventy-six confirmed malicious payloads were identified through a combination of automated scanning and human-in-the-loop review. Eight of those malicious Skills were still publicly available on ClawHub when the research was published.
Then Cisco shipped its AI Agent Security Scanner for IDEs on April 21, integrating its open-source Skill Scanner directly into VS Code, Cursor, and Windsurf. The scanner brings genuine capability to developers’ workflows. It does not inspect bundled test files, because the detection categories Cisco built target the agent interaction layer, not the developer toolchain layer.
The three major Anthropic Skill scanners share a structural blind spot: None inspects bundled test files as an execution surface, even though Gecko Security proved that those files execute with full local permissions through standard test runners.
Snyk Agent Scan, Cisco’s AI Agent Security Scanner, and VirusTotal Code Insight all work. They catch prompt injection, shell commands, and data exfiltration in Skill definitions and agent-referenced scripts. What they do not do is look beyond the agent execution surface to the developer execution surface sitting in the same directory.
How the attack chain works
The mechanics of the attack chain matter because the fix is precise. When a developer runs npx skills add owner/repo-name, the installer clones the Skill repository and copies its contents into .agents/skills/<skill-name>/ inside the project. Claude Code, Cursor, and other agent IDEs get symlinks into their own Skill directories. The only files excluded are .git, metadata.json, and files prefixed with _. Everything else lands on disk.
Jest and Vitest both pass dot: true to their glob engines. That means they discover test files inside dot-prefixed directories like .agents/. Mocha’s behavior depends on configuration but follows similar recursive patterns by default. None of them exclude .agents/, .claude/, or .cursor/ from their default discovery paths.
An attacker publishes a Skill with a clean SKILL.md and a tests/reviewer.test.ts file containing a beforeAll block. The block reads process.env, .env files, ~/.ssh/ private keys, and ~/.aws/credentials. It posts everything to an external endpoint. The test cases look real. The exfiltration happens during setup, silently, whether the tests pass or fail.
The vector is not limited to TypeScript. Python repos face the same exposure through conftest.py, which pytest auto-executes during test collection. Add .agents to testpaths exclusion in pyproject.toml to block it.
The .agents/skills/ directory is designed to be committed to the repo so teammates can share Skills. GitHub’s default .gitignore templates do not include .agents/. Once the malicious test file enters the repo, every developer who clones and runs tests executes the payload. So does every CI pipeline on every branch and every fork that inherits the test suite.
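The fix this section opens with is a discovery-path exclusion, and it can be expressed in the runners’ own configuration. The block below is an added example, not code from the article, from Gecko Security, or from the Jest, Vitest or Mocha projects. It builds the ignore settings for the three agent directories named above and adds a small emulation of the resulting filter (`wouldJestRun`, `wouldVitestRun`) so the before/after can be checked; that emulation is an assumption that approximates the runners’ default name matching rather than reproducing it.

```javascript
// Added example: hardened test-runner discovery settings for a repo that installs
// Skills with `npx skills add`. Not the article's code and not from any runner project.
// Assumption: Jest and Vitest keep their default test-name patterns; only the
// ignore/exclude lists change.

// Directories written by the Skill installer and agent IDEs (the three the article names).
const AGENT_DIRS = [".agents", ".claude", ".cursor"];

// Jest: testPathIgnorePatterns are regex strings tested against the absolute path.
const jestTestPathIgnorePatterns = [
  "/node_modules/",
  ...AGENT_DIRS.map((d) => `/\\${d}/`), // yields e.g. "/\.agents/"
];

// Vitest: test.exclude takes glob patterns.
const vitestExclude = ["**/node_modules/**", ...AGENT_DIRS.map((d) => `**/${d}/**`)];

// Mocha (.mocharc.js): `ignore` takes globs; pinning `spec` keeps discovery in ./test.
const mochaConfig = {
  spec: ["test/**/*.{js,cjs,mjs}"],
  ignore: AGENT_DIRS.map((d) => `${d}/**`),
};

// Drop-in shapes for jest.config.js and vitest.config.js.
const jestConfig = { testPathIgnorePatterns: jestTestPathIgnorePatterns };
const vitestConfig = { test: { exclude: vitestExclude } };

// --- Simplified emulation of the discovery decision (assumption, used for checking) ---

// Approximates the default test-name match of both runners: *.test.* and *.spec.* files.
function looksLikeTestFile(relPath) {
  return /\.(test|spec)\.[cm]?[jt]sx?$/.test(relPath);
}

// Jest: a file runs if its name matches and no ignore regex matches its path.
// Jest tests against an absolute path, so a leading "/" is prepended here.
function wouldJestRun(relPath, ignorePatterns = jestTestPathIgnorePatterns) {
  const absLike = "/" + relPath.replace(/\\/g, "/");
  const ignored = ignorePatterns.some((p) => new RegExp(p).test(absLike));
  return looksLikeTestFile(relPath) && !ignored;
}

// Vitest: same decision with globs; only the "**/<dir>/**" shape is interpreted here.
function wouldVitestRun(relPath, exclude = vitestExclude) {
  const parts = relPath.replace(/\\/g, "/").split("/");
  const excludedDirs = exclude
    .map((g) => /^\*\*\/([^/*]+)\/\*\*$/.exec(g))
    .filter(Boolean)
    .map((m) => m[1]);
  const ignored = parts.slice(0, -1).some((seg) => excludedDirs.includes(seg));
  return looksLikeTestFile(relPath) && !ignored;
}
```

Copy `jestConfig` into `jest.config.js` (`module.exports = jestConfig`) or `vitestConfig` into `vitest.config.js` (`export default vitestConfig`); `mochaConfig` is the `.mocharc.js` shape. With only Jest’s default ignore list (`["/node_modules/"]`), a Skill’s bundled `tests/reviewer.test.ts` under `.agents/` is discovered; with the hardened list it is not, while the project’s own `src/*.test.ts` files still run. For pytest the equivalent is pinning `testpaths` to project-owned directories in `pyproject.toml`, as the section notes.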
Scanners are reading the wrong threat surface
CrowdStrike CTO Elia Zaitsev put the structural challenge in operational terms during an exclusive VentureBeat interview at RSAC 2026. “Observing actual kinetic actions is a structured, solvable problem,” Zaitsev said. “Intent is not.”
That distinction cuts directly at the Anthropic Skill scanner gap. No publicly documented scanner operates outside the assumption that the threat lives in the SKILL.md and in the scripts the agent is instructed to run. These tools analyze intent: What does the Skill tell the agent to do? Gecko’s finding sits on the kinetic side. The test file executes through the developer’s own toolchain. No agent is involved. No prompt is interpreted. The payload is TypeScript, running with full local permissions through a legitimate test runner. The scanners were solving the wrong problem: a malicious test file is never inspected, yet it runs as an ordinary process in the repository, with access to every environment variable such a process can read.

Zaitsev also pointed to the rapid expansion of AI agents and non-human identities in enterprises, each with privileged, continuous access to data sets. That widens the exposure, because threat actors can reverse engineer patches within 72 hours, leaving enterprises open to exploitation if patches are not applied promptly.
The Anthropic Skill Audit Grid provides a framework for evaluating Skill scanning tools and identifying gaps in the detection of potential threats. It recommends actions such as inspecting agent-invoked scripts and bundled test files, and restricting test-runner globs to project-owned paths.
Three CI hardening steps are suggested to strengthen security controls and mitigate risks associated with Anthropic Skills. These steps include adding .agents/ to the test runner’s ignore list, auditing every Skill install for non-instruction files before merge, and pinning Skill sources to specific commits to prevent unauthorized changes after approval.
To ensure comprehensive security measures, five questions are provided to ask Anthropic Skill scanner vendors before making a purchase decision. These questions aim to assess the effectiveness of the scanning tool in detecting vulnerabilities and mitigating potential threats.
The importance of thorough analysis in Skill repositories
When evaluating the security of a Skill repository, it is crucial to go beyond simply asking “Do you detect prompt injection?” There are several key questions that need to be addressed to ensure a comprehensive assessment:
1. Which files and directories are actually analyzed in a Skill repo?
Understanding the scope of analysis is essential to identify potential vulnerabilities within the repository. It is important to determine which specific files and directories are being scrutinized for security risks.
2. Do test files serve as potential execution surfaces?
Test files, while necessary for validating code functionality, can also pose security risks if not properly handled. It is essential to assess whether test files are being treated as potential points of entry for malicious attacks.
3. Can Skills bundling tests, CI configs, or build scripts be flagged as higher-risk?
Research has shown that Skills bundling scripts are more likely to be vulnerable. It is crucial to determine if the repository flags such Skills as higher-risk and implements additional security measures accordingly.
4. Is there integration or guidance for restricting test-runner globs in CI?
Providing guidance on restricting test-runner globs in CI can help enhance security measures within the repository. Transparency in detection categories and scanning logic, as demonstrated by open-source tools like Cisco’s Skill Scanner, is essential for verifying the effectiveness of security protocols.
5. Has an ecosystem-scale audit been published with methodology and sample size?
Ecosystem-scale audits provide valuable insights into the overall security of a repository. Publishing audit results, methodology, and sample size can help security teams assess the reliability of the assessment and identify potential areas of improvement.
The significance of the audit grid in addressing security gaps
The Anthropic Skills ecosystem, reminiscent of early npm supply chain vulnerabilities, highlights the importance of thorough security assessments. SkillScan’s extensive dataset revealed vulnerabilities in a quarter of the ecosystem, underscoring the need for comprehensive security measures.
Scanner evaluations typically focus on covered surfaces, but the test-file vector presents a unique challenge. With no scanner flagging the threat, patch windows are nonexistent, emphasizing the need for proactive security measures.
While scanners play a crucial role in detecting vulnerabilities, they are not infallible. The threat model must extend beyond the agent to encompass potential risks posed by test runners. By implementing the seven audit surfaces outlined in the Anthropic Skill Audit Grid, security teams can enhance their repository’s security posture and mitigate potential risks effectively.